Method, arrangement and secure medium for authentication of a user

ABSTRACT

When confidential data or areas of an EDP system ( 2 ) are accessed by a user ( 9 ), the user is granted access only if he registers ( 16 ) with the EDP system correctly with a user name and a password and, in addition, can identify himself as having access authorization using an access code ( 21 ), to which only he has access, from a database ( 5.2 ). The database is stored on a chip card ( 5 ), and access to the database has dual protection. Access to the access codes in the database is given only to that user who can correctly authenticate himself ( 12 ) to the chip card using biometric data, for example. In addition, the access codes in the database can be accessed only by a program ( 5.1 ) which is stored on the chip card and which can be activated only following correct authentication to the chip card by the user and which needs to have correctly authenticated itself ( 20 ) directly on the database using an ID incorporated in the program code.

TECHNICAL FIELD

[0001] The invention relates to a method for authenticating a user for access to protected areas, where an access code is read from a database stored on a security medium and is transmitted to a data processing apparatus. The invention also relates to a corresponding arrangement and to a corresponding security medium for such access to a data processing apparatus.

PRIOR ART

[0002] As modern communication systems spread, the need to use these communication systems for applications which were originally not developed for such systems also increases. By way of example, goods purchases and sales or else legal and banking transactions are being handled more and more often over communication networks which are publicly accessible. One example of such a communication network is the Internet, which provides a simple, rapid and cost-effective way of communicating world-wide. However, communication over such networks is unprotected, in principle, i.e. can be monitored and even altered by anybody who has a little technical know-how and the right equipment.

[0003] There are various reasons in favor of protected communication, however. By way of example, when the information transmitted is not intended to be made accessible to the public, when it is necessary to ensure that the information arrives exactly in the form in which it was sent, or when the parties for a transaction are not known to one another and wish to check the identity of their opposite counterpart before transmitting confidential information. This applies particularly also to banking transactions such as “home or online banking”, where a bank's customer manages his accounts himself over the Internet, i.e. checks account balances, makes payments or purchases shares, for example.

[0004] To authenticate a user who uses the Internet, for example, to register on his bank's homepage, various options have already been proposed. One option involves the user logging on by entering not only a user name and password but also the next particular access code from a scratchlist which is available in paper form and is known only to the user (and naturally to the bank). If the user's scratchlist is stolen, however, the thief can pretend to the bank that he is the new holder and can obtain unauthorized access to the user's accounts. Proposals have also already been made to store the scratchlist in electronic form, for example on a diskette. However, it can also be discovered by spying in this case too, for example by virtue of its being read by an unauthorized third party when the user is online. In addition, it is naturally also possible to get into the bank's EDP system and to obtain the information required in this manner.

[0005] Another option is to use a processor-assisted card with automatic generation of an access code by a small program which is executed in parallel both on the card and on the bank server. However, concurrent logging allows this program to be reconstructed and an access code subsequently generated independently to be put to misuse.

[0006] In other, known systems, “chip cards” are used which store biometric data for the user (for example fingerprints, data about the user's iris or about the user's voice) for identification purposes. In this case too, however, it is possible to use concurrent logging to obtain possession of these personal data and to feign the user's identity to the bank server when attempting to log on for misuse.

[0007] There is thus currently no system for securely authenticating a user when accessing confidential data over a public network such as the Internet.

DESCRIPTION OF THE INVENTION

[0008] It is an object of the invention to specify a method of the type mentioned initially which avoids the problems which exist in the prior art and, in particular, permits secure authentication of a user for access to protected areas.

[0009] The way in which the object is achieved is defined by the features of claim 1. In line with the invention, authenticating a user for access to protected areas involves an access code being read from a database and being transmitted to a data processing apparatus. The data processing apparatus checks the user's identity and grants him access to the desired areas if he has been correctly authenticated.

[0010] The database is stored on a security medium, and access to the database is possible only for the previously authorized user, i.e. the correct access code for transmission to the data processing apparatus can be read from the database only if authentication of the user has been carried out beforehand and the user has been correctly authenticated.

[0011] The code is read from the chip card database by starting an appropriate program, called mediator program below, and by the mediator program in turn starting a program stored on the chip card, called card program below, and asking this program to read a code from the database. To increase security further, the mediator program first needs to authenticate itself correctly on the chip card or with the card program before the card program can read a code from the database. By way of example, this is done by virtue of the chip card checking whether the mediator program is able to identify itself using an authorization code which the mediator program fetches from the data processing apparatus, for example, and which is also stored on the chip card or is calculated by the card program. Another option would be for such an authorization code to be recalculated whenever the chip card is accessed, for example on the basis of user data, the time, the number of access codes still available in the database, the latter's checksum, the user's digital signature, the user's public key or other information.

[0012] The mediator program is, by way of example, a Java program, which has the advantage that it is not necessary to give any consideration to the software and/or hardware platform used by the user.

[0013] Once both the user and the mediator program have been correctly authenticated, the card program reads the next code from the database and transfers it to the mediator program. The mediator program transmits the received code to the data processing apparatus, which performs a check on the code. If this check is successful, the user is permitted to access the protected areas. Otherwise, the user is refused access and an error message is displayed, for example.

[0014] The data and/or areas are, by way of example, confidential information stored in the data processing apparatus, with access to all the data or areas of the data processing apparatus also being able to be limited or controlled. Alternatively, they can be physical areas such as rooms or else countries which the user would like to enter, for example, in which case the security medium is a type of passport or key for entry.

[0015] The inventive method is a combination, a nesting of a plurality of authentication methods. So that the user actually obtains possession of the correct access code, i.e. is able to transmit said access code to the data processing apparatus, he first needs to identify himself correctly to the security medium.

[0016] It is therefore not sufficient for a potential attacker to monitor the insecure network, because a new access code is used whenever a connection is set up. It is not possible for the attacker to guess the next access code, because the access codes are generated beforehand by an algorithm for generating random numbers and are stored in the database on the security medium. Monitoring as these access codes are generated and reconstruction of the corresponding program are therefore not possible.

[0017] In addition, it is also not sufficient to purloin the security medium from the user, because only the user himself is able to authenticate himself correctly to the security medium and hence to enable access to the access codes stored in the database.

[0018] It is similarly impossible for the reading of an access code to be initiated using any program, since this requires a special mediator program which furthermore needs to authenticate itself with the card program. If this card program has been extracted from another card, the identification gives a negative result and access to the database on the card is prevented. This authentication incorporates a further obstacle which makes it additionally more difficult for the thief to read an access code, even if he were to succeed in correctly authenticating himself to the security medium.

[0019] Suitable security media which can be used are primarily apparatuses which have a memory for electronic data, a processor for processing such data and, if necessary, interfaces for communicating with the surroundings or with other devices. Since such security media need to be portable and hence also small and lightweight, chip cards are perfectly suitable for this purpose. For this reason, the term chip card is used in the majority of cases below without thereby excluding other security media.

[0020] To authenticate the user to the security medium, it is possible, in principle, to use any known method (for example on a software basis by entering a password or a PIN, or else on a hardware basis, for example by inserting and rotating a correct key or by inserting a dongle). Advantageously, however, a method is used in which the user's identity is checked using user-specific identification features. Such features include, by way of example, biometric data for the user such as a fingerprint, the frequency spectrum of his voice or the structure of his iris. Other biometric data are entirely conceivable.

[0021] The user's authentication is now checked by first, in conjunction with the production of the chip card, detecting user-specific identification features for the chip card holder and storing them in a suitable form in the memory on the chip card. When the chip card is used by the user, the same user-specific identification features are ascertained again and are compared with the identification features stored on the chip card. If these features match, the user has correctly authenticated himself and the chip card can be activated.

[0022] Instead of a single user, a user group whose members wish to access the confidential data may naturally also be involved. The method steps described above or below can easily be adapted to a plurality of users.

[0023] Once the chip card has been activated, the next access code, subsequently also called code, can be read from a database and transmitted to the data processing apparatus. When a company's own EDP systems are accessed, in which case the user and the data processing apparatus communicate exclusively via internal communication networks, such complex security precautions are admittedly not absolutely necessary, but they can nonetheless be useful. Preferably, however, the inventive method is used where the data processing apparatus is accessed over a public communication network, such as the Internet.

[0024] So that, where the type of data transmitted so requires, the confidentiality of the transmitted data is also ensured, the communication between the user and the data processing apparatus is encrypted. Internet pages are typically displayed using special programs, “browsers”, which are stored on the device used by the user for Internet access and are executed thereon. Such browsers normally have in-built mechanisms for encrypting the communication between the user and the server in question. Encryption is performed using known encryption methods, for example using an asymmetrical encryption method such as the public key method, using a key or one or more corresponding key pairs comprising a public and a private key. To encrypt the communication using an asymmetrical method, the two communicating parties typically require one key pair each.

[0025] The user's key or keys are preferably stored on the chip card, where they can be read by the user or by his browser or computer and can be temporarily stored on the latter.

[0026] As already mentioned, the encryption itself is performed using one of the known asymmetrical encryption methods, for example. This involves the user encrypting the data he sends using one key, and decrypting received data using the other key. The same also applies to the data processing apparatus, which takes the corresponding keys from its database. At the user end, the keys are stored at a location provided for this purpose, for example on the user's computer and/or on his browser and/or, so that the user is more mobile, preferably on the chip card.

[0027] To prevent unauthorized reading of the keys temporarily stored on the computer or in the user's browser, they can be deleted from the browser or from the computer as soon as the user logs off the server's homepage or when the keys are no longer required.

[0028] The length of the keys used depends on the security desired or required and is between a few and several thousand bits in length. The longer the keys are, the more difficult it is to crack the keys.

[0029] It is naturally also possible to use other asymmetrical or else symmetrical encryption methods or combinations thereof. However, said public key method has the advantage that it is already widely used and recognized.

[0030] When encrypted communication has been set up, there preferably comes a next step in the registration process, which involves the user being asked to enter a user name and a password. If the details provided are not correct, an error message is displayed and the registration procedure is either terminated or the user is given another chance to enter the required data correctly.

[0031] If the details provided are correct, the procedure continues by reading the code from the database. As mentioned earlier, the code is read by the card program after both the user and the mediator program have correctly authenticated themselves with the security medium.

[0032] Authentication is preferably also required from the card program. However, the card program needs to authenticate itself directly on the database before it can read the next code. By way of example, the authentication can be hidden in the programming of the card program, or it is performed as in the case of authentication of the mediator program with the chip card using an authorization code. The card program can be of appropriately card-specific design, which means that the card program on a first chip card cannot be used to read the code from the database on a second chip card, since it cannot correctly authenticate itself with the database. Each chip card can more or less have an individual card program or individual authentication. If a card program does not correctly authenticate itself with the database, no access code is read and/or the database deletes itself or is deleted.
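As an added illustration (not code from the patent or from any product), the nested checks of paragraphs [0010] to [0018] and [0032] modelled in Python: the card activates only on a matching template, hands a code to the mediator only against the authorization code, and the database opens only for the card program bound to it, wiping itself for a foreign program. The class and function names, the static authorization code and the self-deletion policy are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional


def generate_code_list(count: int, nbytes: int = 8) -> List[str]:
    """The access codes are drawn from a CSPRNG at a secure location before the card
    is issued, so no later code can be derived from the ones already used ([0016])."""
    return [secrets.token_hex(nbytes) for _ in range(count)]


@dataclass
class CardProgram:
    """Card program 5.1. Its ID is 'incorporated in the program code' and is what the
    database checks; a program copied from another card carries a different ID."""
    program_id: bytes


@dataclass
class CardDatabase:
    """Card database 5.2: the unused codes, bound to exactly one card program."""
    bound_program_id: bytes
    codes: List[str] = field(default_factory=list)

    def open_for(self, program: CardProgram) -> bool:
        """Authentication 22 of the card program directly on the database. On a
        mismatch the database deletes itself (claim 2; a constructed policy choice)."""
        if hmac.compare_digest(program.program_id, self.bound_program_id):
            return True
        self.codes.clear()
        return False

    def next_code(self) -> Optional[str]:
        return self.codes[0] if self.codes else None

    def delete(self, code: str) -> bool:
        """Step 26: irrevocably remove a code once the mediator has acknowledged it."""
        if self.codes and hmac.compare_digest(self.codes[0], code):
            del self.codes[0]
            return True
        return False


@dataclass
class ChipCard:
    """Chip card 5 with on-card template matching; the stored template never leaves the card."""
    stored_template: bytes     # detected at card production ([0021])
    authorization_code: bytes  # value the mediator must present; also known to the server
    program: CardProgram
    database: CardDatabase
    activated: bool = False

    def authenticate_user(self, presented_template: bytes) -> bool:
        """Step 12. A constant-time byte compare stands in for real biometric matching."""
        self.activated = hmac.compare_digest(presented_template, self.stored_template)
        return self.activated

    def request_code(self, presented_authorization: bytes,
                     program: Optional[CardProgram] = None) -> Optional[str]:
        """Steps 20.1, 21, 22 and 23 in order. `program` lets a foreign card program be
        modelled; by default the card's own program runs. Returns None on any failure.
        The code is NOT deleted here: that waits for acknowledge() (steps 25 and 26)."""
        if not self.activated:
            return None                                   # user not authenticated
        if not hmac.compare_digest(presented_authorization, self.authorization_code):
            return None                                   # mediator not authenticated
        if not self.database.open_for(program or self.program):
            return None                                   # card program not authenticated
        return self.database.next_code()

    def acknowledge(self, code: str) -> bool:
        """Acknowledgement 25 from the mediator triggers deletion 26 on the card."""
        return self.database.delete(code)


def issue_card(template: bytes, authorization_code: bytes, count: int = 50) -> ChipCard:
    """Card production: one program ID per card, codes generated off-card."""
    program_id = secrets.token_bytes(16)
    return ChipCard(template, authorization_code, CardProgram(program_id),
                    CardDatabase(program_id, generate_code_list(count)))
```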

[0033] When the card program has transferred the code to the mediator program, the two steps below are preferably carried out in order to ensure that a code which has been read cannot be read from the database a second time and used again. Following receipt of the code from the card program, the mediator program acknowledges this to the card program, which then irrevocably deletes from the database the code which has been read.

[0034] In this context, however, the code transmitted to the data processing apparatus by the mediator program might not match the code which the data processing apparatus expects. This can happen if, by way of example, the communication channel has been interrupted during an earlier registration procedure precisely at the moment after the mediator program acknowledges receipt of the code but has not yet transmitted the code to the data processing apparatus. Upon the next registration procedure, a new code is then read from the database, with the previous code not yet having been deleted from the data processing apparatus's list and consequently still being shown there.

[0035] When the code is checked, the data processing apparatus thus inspects not just whether the code received matches the next code on its list, but also whether the code received matches one of the succeeding codes. If it finds this code, then it gives the user access.

[0036] The text below will describe an inventive arrangement for authenticating a user for access to confidential data or areas of a data processing apparatus, particularly for carrying out a method like the one explained above. The arrangement comprises a security medium, first means for accessing the security medium, and second means for ascertaining user-specific identification features, such as biometric data for the user. The security medium, for example a chip card, has not only a processor but also a memory which stores a database having a plurality of codes and a program for accessing this database and also user-specific identification features for the user. In addition, the arrangement comprises third means for comparing the ascertained user-specific identification features with the user-specific identification features which have been detected in conjunction with the production of the security medium and have been stored on the security medium.

[0037] First of all, the first means allow access to the chip card, i.e. electronic communication with the processor and the reading of information stored in the memory, such as a code, from the database. By way of example, it is possible to use a “chip card reader” or another device, which can be connected to the computer used by the user for the purpose of data interchange and has appropriate electrical contact points which are used to set up the necessary connections when the chip card is inserted.

[0038] It is entirely possible for the third means for comparing the user information to be accommodated in an already existing device in the arrangement, for example in the computer or in the chip card reader or else in a separate device. Advantageously, however, the third means are integrated on the chip card itself, because this dispenses with reading and transmitting the information stored on the card. The user-specific information which has been detected when the chip card is produced and which is stored on said chip card thus remains on the chip card and never needs to be read therefrom.

[0039] In addition, it is also possible for the second means, i.e. appropriate sensors or interfaces, such as optical sensors for determining the iris structure or a fingerprint from the user, acoustic sensors for determining the frequency spectrum of the user's voice or else other sensors and interfaces, such as a keyboard for entering a password, to be accommodated in an already existing device or in a separate device. Preferably, however, the second means are also integrated in the chip card. This has the advantage that the user-specific identification features ascertained are processed at that very location, i.e. can be compared with the user features stored in the chip card's memory and do not first need to be transmitted there.

[0040] In another preferred embodiment, the sensors are integrated in the chip card reader. As a result, although the user-specific identification features ascertained need to be transmitted to the chip card, this is not a problem because the chip card has been inserted in the chip card reader, and the chip card needs to be of less complex design.

[0041] As already mentioned, the communication between the user and the data processing apparatus is encrypted, by way of example, using an asymmetrical encryption method based on the public key method. So that the data processing apparatus also uses the correct keys, i.e. the user's keys, for encryption, it first needs to determine the identity of the user. Preferably, the chip card stores information corresponding to this for identifying the user, for example the user's public key, his electronic signature or other user information. This information is transmitted to the data processing apparatus, which analyzes it and infers the user's identity therefrom. The electronic signature could also be used to check the latter's validity at the same time, for example.

[0042] In another preferred embodiment of the inventive arrangement, the chip card has fourth means which can be used to delete the database in the chip card's memory. This is purely a precautionary measure and happens, by way of example, if the chip card establishes that the database is being accessed for misuse, or other discrepancies.

[0043] The detailed description below and the patent claims in their entirety reveal other advantageous embodiments and combinations of features of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

[0044] In the drawings used to explain the exemplary embodiment:

[0045] FIG. 1 shows an inventive arrangement for user authentication;

[0046] FIG. 2 shows a chip card for use in the arrangement shown in FIG. 1, and

[0047] FIG. 3 shows a schematically illustrated flowchart of the inventive method for user authentication.

[0048] In principle, identical parts have been provided with identical references in the figures.

[0049] Ways of Implementing the Invention

[0050] The exemplary embodiment below describes the authentication of a user by a server on which, by way of example, a bank's Internet page is stored and which the user would like to access via the Internet and, by way of example, would like to view personal and hence confidential data such as his own account balances. However, the Internet is an open medium with no integrated encryption method or other security method. That is to say that a user who is not just interested in confidential communication but also wishes to ensure that only he can access his personal data needs to take appropriate measures. A similar situation naturally applies also to the server, which must allow no one other than the user himself to access his data.

[0051] FIG. 1 shows the Internet 1, to which both the server 2 and the user's computer 3 are connected. It goes without saying that the two can also be connected to the Internet indirectly via an Internet Service Provider. Connected to the computer 3 is a reader 4 into which the user can insert his chip card 5.

[0052] The reader 4 is able to communicate with the processor 7 on a chip card 5 which has been inserted into the reader 4 or to access the chip card's memory, which in this case is incorporated in the processor 7. As FIG. 2 shows, the chip card 5 has contact points 6 for this purpose which are connected to the processor 7 and via which, when the chip card 5 has been inserted, electrical connections between the processor 7 and the reader 4 or the computer 3 are set up with corresponding contact points in the reader 4. Naturally, contactless communication methods, such as radio or methods based on magnetic induction, are also suitable for the communication between the chip card 5 and the reader 4.

[0053] In addition, the chip card 5 has a sensor 8 which, in the exemplary embodiment chosen, is used to determine a fingerprint from the user. The user can place the finger in question onto the sensor 8 when the chip card has been inserted. Instead of incorporating the sensor 8 on the chip card 5, it is also possible to accommodate it in the reader 4, for example.

[0054] FIG. 3 schematically shows a chart of the method illustrating its procedure when the user registers on the bank's homepage. To open 10 the homepage, i.e. when the access page 14.1 is opened 10, on the bank's server 2 via the Internet 1, the user 9 enters the appropriate URL address in his browser or clicks on a corresponding link, for example.

[0055] When the chip card 5 has been inserted 11 into the reader 4, the user 9 is authenticated 12 to the chip card 5 by placing his thumb or another finger on the sensor 8. This procedure can naturally also be explained and described to the user 9 on the access page 14.1 which has been selected. The chip card 5 checks the detected fingerprint and compares it with the user's fingerprint stored in the memory on the chip card 5, the term fingerprint being able to be understood to mean not just optical features, such as line arrangement, but also other features, such as distribution of heat. If the two fingerprints do not match, i.e. if authentication 12 of the user 9 to the chip card 5 has failed (not shown), the chip card 5 is not activated and no access code can be read from the database.

[0056] If the fingerprints match, on the other hand, the chip card 5 is activated and the registration procedure can be continued, which is done by clicking on a “Continue” button on the access page 14.1 displayed by the server 2, for example.

[0057] Next, encrypted communication is set up 13 between the server 2 and the user 9 or his computer or browser. For this, by way of example, the information stored on the chip card for identifying the user 9 is transmitted to the data processing apparatus, which can use this information to determine the user's identity and to provide the corresponding keys. From this time onward, the server 2 now communicates only in encrypted form with the user 9, the encryption being performed using a known asymmetrical or symmetrical encryption method.

[0058] When encrypted communication has been set up 13, the registration page 14.2 is opened in order for the user to be logged on 15. The user 9 is logged on 15 by virtue of the user 9 entering a user name and the associated password. This is followed by inspection 16 by the server 2 in a user database 17 which is accessible to the server 2 and is preferably stored on the server 2 itself, this involving the server 2 checking whether the user name entered matches the previously determined identity of the user. The server 2 also checks whether the user 9 has entered the correct password, i.e. that associated with the user name.

[0059] If both the user name and the password are correct, the registration procedure is continued by starting 19 a program which, by way of example, is in the form of a Java program 18 and has been downloaded by the user 9 with the registration page 14.2.

[0060] Before the Java program 18 can become active, however, it needs to register 20.1 with the chip card 5, or to be more precise with a card program 5.1 stored thereon. To this end, the Java program 18 fetches an authorization code 20 from a server program 2.1 running on the server 2, for example. Correct registration 20.1 is followed by registration acknowledgement 20.2 by the card program 5.1, and the Java program 18 sends the card program 5.1 a request 21 for transmission of the next scratchlist code.

[0061] However, the card program 5.1 also first needs to authenticate itself to the card database 5.2, which is likewise stored on the chip card 5, before it can open the database. Once this authentication 22 has been completed correctly as well, the card program 5.1 can read 23 the next code for access authorization on the server 2 from the card database 5.2. After or at the same time as forwarding 24 of the access code which has been read to the Java program 18, the Java program sends the card program 5.1 acknowledgement 25 of correct receipt of the access code 21. When the card program 5.1 receives this acknowledgement 25, it deletes 26 from the card database 5.2 the access code which has just been read.

[0062] When the Java program 18 has acknowledged receipt of the access code to the card program 5.1, this access code is transmitted 27 to the server program 2.1. The server program initially checks 28 the access code. This involves the server program 2.1 inspecting whether the access code sent to it matches the next access code on the server's list, on the server database 2.2. If so, it grants the user 9 permission 29 to access 30 the desired data. Communication between the server 2 and the user 9 continues in encrypted form.

[0063] If the access code does not match the next code from the server database 2.2, the server program 2.1 checks further whether the access code matches one of the subsequent access codes from its server database 2.2. If it finds the access code at a later point in the server database 2.2, it likewise gives the user 9 permission 29 for the desired access 30. Typically, the server program 2.1 will then set its internal pointer, which respectively points to the next valid access code, to the successor to the transmitted access code and will delete all the access codes before that from its server database 2.2.
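Added here as an illustration, not the patent's own code: the server-side check 28 with the look-ahead of paragraphs [0034], [0035], [0062] and [0063] in Python, plus a constructed walk-through of the interrupted-login case, showing that the code lost in transit is refused afterwards even if it had been captured. The class and function names are assumptions.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ServerCodeList:
    """Server database 2.2 for one user: the same code list that was written to the
    card, in order. Index 0 is the code the server expects next (its 'internal pointer')."""
    codes: List[str]

    def check(self, received: str) -> bool:
        """Check 28. The expected code or any later one is accepted; the accepted code
        and everything before it is then deleted, so an earlier (already used or lost)
        code is refused from then on. Returns True when access 29 is granted."""
        if not received.isascii():          # compare_digest needs ASCII str
            return False
        for index, candidate in enumerate(self.codes):
            if hmac.compare_digest(candidate, received):
                del self.codes[: index + 1]  # pointer moves to the successor
                return True
        return False


def simulate_interrupted_login(codes: List[str]) -> Dict[str, object]:
    """Constructed walk-through of [0034]: the card deletes the code on acknowledgement
    26, but the channel drops before transmission 27. At the next login the card hands
    out the following code, which only the look-ahead in check() accepts."""
    server = ServerCodeList(list(codes))
    card = list(codes)                      # stand-in for card database 5.2

    # first login: read 23, acknowledge 25, deleted 26 on the card; then the channel drops
    lost = card.pop(0)

    # second login: the card's next code is not the first one the server expects
    presented = card.pop(0)
    granted = server.check(presented)

    return {
        "lost_code": lost,
        "granted": granted,
        # a captured copy of the lost code is useless: it lies before the pointer now
        "replay_of_lost_code_refused": not server.check(lost),
        "card_left": len(card),
        "server_left": len(server.codes),
    }
```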

[0064] The inventive method can be used to stop virtually all conceivable attempts to access confidential data for the purpose of misuse. If, by way of example, the registration of a user is concurrently logged, the attacker acquires knowledge only of the encrypted, unique access code, which, even if it can be decrypted, cannot be used for a second registration procedure. Any attempt to read or to copy the chip card via the Internet when the user is currently online, for example, also fails, because the chip card can be activated only after correct authentication by the correct user. Even an attack involving an attempt to access the user's chip card using a foreign card program, for example that from another chip card, can be deflected. This is because before the chip card enables access to the card database, the foreign card program needs to correctly authenticate itself directly on the card database. This can be done only by the correct card program, however, which is the only one to have the unique identification code required for this purpose.

[0065] Even if the card is lost or stolen, it is of no value to an attacker because he cannot activate it. Should he nevertheless succeed in doing this, for example because he has obtained a fingerprint from the user and can additionally feign the user's physical presence to the chip card, he will get no further, because he knows neither the user name nor the password for logging onto the server. Only if a potential attacker were also to obtain this information would it be possible to gain unauthorized access to the confidential data. However, the user ought to have noticed the loss of the chip card in the meantime and to have informed the appropriate offices of this, resulting in the chip card being immediately disabled.

[0066] In summary, it can be stated that the user authentication to the chip card and the individual card program for reading the access codes from the card database can provide dual protection for access to the card database and can effectively stop access to the access codes stored in the card database for the purpose of misuse. Since the access code list is generated at a secure location before storage on the chip card, and the corresponding algorithm cannot be discovered, none of the access codes still to come on the access code list can be calculated using the system. Furthermore, since access codes which have been read once are deleted from the card database before they are sent to the server, it is also not possible to reproduce the access codes even if the transmitted data are concurrently logged for a relatively long period.

[0067] The invention thus ensures that the user's identity can be checked with a level of security which has not been obtained up to now and that confidential data can be accessed only by the authorized user, who is the only person to have the necessary knowledge and means for activating the chip card at all. Even a targeted, professionally prepared attack will not be successful.

1. Method for authenticating a user for access to protected areas, where an access code is read from a database stored on a security medium, particularly a chip card, and is transmitted to a data processing apparatus, characterized in that the user is authenticated before the access code is read, a mediator program, particularly a Java program, is started, a card program stored on the security medium is asked by the mediator program to read the access code, the mediator program is authenticated by the security medium, and, if the mediator program and the user have been correctly authenticated, the access code is read from the database by the card program, is transferred to the mediator program and is transmitted to the data processing apparatus by the mediator program.

2. Method according to claim 1, characterized in that the card program authenticates itself on the database, and the database does not read an access code and/or deletes itself or is deleted if the card program does not correctly authenticate itself.

3. Method according to claim 1 or 2, characterized in that the mediator program acknowledges receipt of the access code to the card program, and the card program deletes the access code from the database afterwards.

4. Method according to one of claims 1 to 3, characterized in that the user is authenticated by virtue of user-specific identification features, preferably biometric user data, being ascertained and these features being compared, particularly by the security medium, with user identification features stored on the security medium beforehand.

5. Method according to one of claims 1 to 4, characterized in that the data processing apparatus is accessed via a public communication network, where communication between the user and the data processing apparatus is encrypted and the encryption is performed using an asymmetric encryption method, particularly a public key method, and the user preferably inputs a user name and a password in order to access the data processing apparatus.

6. Method according to one of claims 1 to 5, characterized in that the data processing apparatus checks the access code transmitted by the mediator program, and the user is permitted to access the, particularly confidential, data or areas if the check was successful.
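The flow of claims 1 to 6 and the attack cases of paragraphs [0064] and [0065], as an added Python simulation that is not part of the patent or of any product it describes: a card database that answers only the card program holding its identification code and wipes itself otherwise (claim 2), a chip card that activates only after the user has authenticated and then authenticates the mediator program by challenge-response (claim 1), a card program that deletes a code once the mediator has acknowledged it and before it is sent (claim 3), and a server side that holds the same pre-generated list and honours each code once (claim 6). Assumptions of mine, not the patent's: biometric matching is modelled as an exact template comparison, the mediator's credential is a shared HMAC key, the user-name/password step of claim 5 is left out, and all class, function and sample values (`card-program-id`, `mediator-key`, `fingerprint-template`) are constructed.

```python
import hashlib
import hmac
import secrets


class CardDatabase:
    # Access-code list on the card. Only the card program's own ID may read it; a wrong ID
    # wipes the list instead of answering (claims 1, 2).
    def __init__(self, codes, program_id):
        self._codes, self._program_id = list(codes), program_id

    def read_next(self, program_id):
        if not hmac.compare_digest(program_id, self._program_id):
            self._codes.clear()
            raise PermissionError("card program failed to authenticate to the database")
        return self._codes[0]  # IndexError once the list is used up

    def delete(self, program_id, code):
        if hmac.compare_digest(program_id, self._program_id) and code in self._codes:
            self._codes.remove(code)

    def __len__(self):
        return len(self._codes)


class CardProgram:
    # The individual program stored on the card: the only path to the database (claim 12).
    def __init__(self, program_id, db):
        self._program_id, self._db = program_id, db

    def read_access_code(self):
        return self._db.read_next(self._program_id)

    def acknowledge(self, code):  # receipt confirmed: delete before the code leaves the card (claim 3)
        self._db.delete(self._program_id, code)


class ChipCard:
    # Security medium: user authentication first, mediator authentication second (claim 1).
    def __init__(self, user_template, program_id, codes, mediator_key):
        self._template, self._mediator_key, self._user_ok = user_template, mediator_key, False
        self.db = CardDatabase(codes, program_id)
        self._program = CardProgram(program_id, self.db)

    def authenticate_user(self, biometric_sample):
        # Constructed stand-in for biometric matching: exact template comparison (claim 4).
        self._user_ok = hmac.compare_digest(biometric_sample, self._template)
        return self._user_ok

    def card_program(self, respond):
        # respond(nonce) is the mediator's half of a challenge-response with the shared key (assumption).
        if not self._user_ok:
            raise PermissionError("user not authenticated to the card")
        nonce = secrets.token_bytes(16)
        expected = hmac.new(self._mediator_key, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, respond(nonce)):
            raise PermissionError("mediator program failed to authenticate to the card")
        return self._program


def mediator_fetch(card, key):
    # The patent's mediator (Java) program; a shared HMAC key stands in for its credential (assumption).
    program = card.card_program(lambda nonce: hmac.new(key, nonce, hashlib.sha256).digest())
    code = program.read_access_code()
    program.acknowledge(code)
    return code


def server_check(unused, code):
    # Data processing apparatus side (claim 6): it holds the same list and honours each code once.
    if code not in unused:
        return False  # unknown, or already consumed: a logged code cannot be replayed ([0064])
    unused.discard(code)
    return True


def run_scenarios():
    # Legitimate flow, then the attacks discussed in [0064] and [0065]; returns the outcomes.
    codes = [secrets.token_hex(8) for _ in range(3)]  # generated at a secure location
    program_id, key, template = b"card-program-id", b"mediator-key", b"fingerprint-template"
    card, unused, out = ChipCard(template, program_id, codes, key), set(codes), {}
    card.authenticate_user(template)
    code = mediator_fetch(card, key)
    out["login_ok"] = server_check(unused, code)
    out["deleted_before_send"] = len(card.db) == 2
    out["replay_rejected"] = not server_check(unused, code)

    def blocked(action):  # True if the attempt is refused with PermissionError
        try:
            action()
        except PermissionError:
            return True
        return False

    stolen = ChipCard(template, program_id, codes, key)  # lost card, nobody authenticated to it
    out["stolen_card_blocked"] = blocked(lambda: mediator_fetch(stolen, key))
    out["foreign_mediator_blocked"] = blocked(lambda: mediator_fetch(card, b"wrong-key"))
    out["foreign_program_blocked"] = blocked(lambda: card.db.read_next(b"other-card-program"))
    out["db_wiped_on_foreign_program"] = len(card.db) == 0
    return out
```

`run_scenarios()` returns a dictionary in which every entry is `True`: the legitimate registration succeeds, the code is already gone from the card when it is transmitted, a replay of the logged code is refused by the server, a card without the user present never activates, a mediator without the key is refused even with the user present, and a foreign program reaching the database directly gets nothing and leaves the list empty. The order inside `mediator_fetch` (read, acknowledge, only then hand the code on) is what makes the "deleted before it is sent" property of [0066] hold.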
7. Arrangement for authenticating a user for access to protected areas, comprising a data processing apparatus for authenticating the user, a security medium and first means for accessing the security medium, the security medium having a processor and a memory, characterized in that the memory stores a database having a plurality of access codes, a program for accessing the database and user-specific identification features for a user, in that an access code can be read from the database exclusively by the program, and the security medium has means for authenticating a mediator program which asks the program to read the access code, in that the arrangement has second means for ascertaining user-specific identification features, preferably biometric user data, and the arrangement has third means for comparing the ascertained user-specific identification features with the user-specific identification features stored on the security medium.

8. Arrangement according to claim 7, characterized in that the second and third means are integrated in the security medium.

9. Arrangement according to claim 7, characterized in that the third means are integrated in the security medium and the second means are integrated in the first means.

10. Arrangement according to one of claims 7 to 9, characterized in that the memory stores information for identifying the user.

11. Arrangement according to one of claims 7 to 10, characterized in that the security medium has fourth means for deleting the database if it is accessed for misuse.

12. Security medium for authenticating a user for access to protected areas, comprising a processor and a memory, characterized in that the memory stores a database having a plurality of access codes, an individual program and user-specific identification features for a user, an access code can be read from the database exclusively by the individual program, and the security medium has means for authenticating a mediator program which asks the individual program to read an access code.

13. Security medium according to claim 12, characterized in that it has means for determining user-specific identification features and also means for comparing the user-specific identification features stored in the memory with the determined identification features.